On April 14, 2017, the hacker group Shadow Brokers leaked confidential documents of the NSA's Equation Group, which contain multiple Windows remote exploit tools that can affect 70% of the world's Windows servers. To protect your business on Alibaba Cloud, follow the guidance in this notice.

See the following for more information about the vulnerability.

CVE identifier

None

Vulnerability name

Windows multiple SMB/RDP remote command execution vulnerabilities

Vulnerability rating

High

Vulnerability description

The hacker group Shadow Brokers leaked confidential documents of the NSA's Equation Group, which contain multiple Windows remote exploit tools that can affect 70% of the world's Windows servers. These tools can leverage SMB and the Remote Desktop Protocol (RDP) to break into servers.

Condition and method of exploitation

The released tools allow an attacker to run code remotely on an affected server.

Affected scope

The affected Windows versions include but are not limited to the following:

Check whether Ports 137, 139, 445, and 3389 of your server are reachable from the Internet. From an external computer, you can use the Telnet command to test Port 445 of the target address, for example, telnet 114.114.114.114 445.

Microsoft has released the announcement Protecting customers and evaluating risk. We strongly recommend that you install the latest patch on your ECS instances in use. Alibaba Cloud users can download and install the patches by means of Windows Update or manually. Alternatively, you can fix the vulnerability with one click in the ECS console.

Install the patches by means of Windows Update

Choose Start > Control Panel > Windows Update.

Click Check for Updates.

Click Install Updates.

After the installation is complete, restart the system to make the patch take effect.

Download the patches manually

Open the patch download URL, download the patch that is compatible with your operating system, and double-click the patch to install it.

Note: We recommend that you perform testing before installing the patch on your business server. Restart the server after the patch is installed.

Fix the vulnerability with one click in the ECS console

Configure a network access control policy in the inbound direction of the Internet. If your business does not use Ports 137, 139, and 445, log on to the ECS console, go to the Security Group page, and click Configure Rules next to the target instance. On the Security Group Rules page, click Fix Windows High-risk Vulnerability. For Windows systems that are not affected by these vulnerabilities, this button is not displayed.

Note: We strongly recommend that you use the security group's inbound access control policy for the Internet to restrict the source IP addresses allowed to log on remotely over Port 3389, which prevents RDP-based intrusions and reduces security risks. We also recommend that you configure the same access control policy in the inbound direction of the intranet according to your business needs.

You must check how Ports 137, 139, and 445 are used and configure access control according to your business needs.

Newly bought ECS instances

The latest patch has been installed for all the Windows images provided by Alibaba Cloud since April 22, 2017.

We recommend that you adjust the security group policies when purchasing an ECS instance so that only the protocols and ports your business needs are allowed.

If you need access rights to other ports from the Internet, log on to the ECS console, go to the Security Group page, and click Configure Rules next to the target instance. On the Security Group Rules page, add Allow rules for those ports. For more information, see Security group configuration guide.
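The two security-group recommendations above (block Ports 137, 139, and 445 from the Internet unless the business needs them; allow Port 3389 only from specific source addresses) can be checked mechanically against a rule set before it is applied. The following audit script is an added example, not Alibaba Cloud tooling: the InboundRule model, the assumption that a smaller priority number is evaluated first, and the sample rule sets are all constructed for this example, not the ECS API's own schema.

```python
"""Audit inbound security-group rules against the advisory's guidance.

Added example; InboundRule is a simplified model written for this example,
not the ECS API's own schema. Two checks are made:
  * TCP 137, 139 and 445 should not be accepted from the Internet;
  * TCP 3389 (RDP) should only be accepted from listed admin source CIDRs.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class InboundRule:
    action: str        # "accept" or "drop"
    protocol: str      # "tcp", "udp" or "all"
    port_range: str    # "445/445", "137/139", or "-1/-1" for all ports
    source_cidr: str   # "0.0.0.0/0" or an admin range such as "203.0.113.0/24"
    priority: int = 1  # assumption: the smaller number is evaluated first


SMB_PORTS = (137, 139, 445)
RDP_PORT = 3389
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


def covers_port(rule: InboundRule, port: int) -> bool:
    lo, hi = (int(x) for x in rule.port_range.split("/"))
    return lo == -1 or lo <= port <= hi


def decision_for(rules: List[InboundRule], port: int, source_ip: str) -> str:
    """First matching rule in priority order decides; no match means 'drop'."""
    src = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("tcp", "all") and covers_port(rule, port)
                and src in ipaddress.ip_network(rule.source_cidr, strict=False)):
            return rule.action
    return "drop"


def audit(rules: List[InboundRule]) -> List[Tuple[int, str, str]]:
    """Return (port, source_cidr, level) for every accept rule on a risky port
    that is actually effective, i.e. not overridden by a higher-priority drop.
    level is 'high' for 0.0.0.0/0 and 'review' for a narrower source range."""
    findings = []
    for rule in rules:
        if rule.action != "accept" or rule.protocol not in ("tcp", "all"):
            continue
        net = ipaddress.ip_network(rule.source_cidr, strict=False)
        probe = str(net[0])  # one address inside this rule's own source range
        level = "high" if net == ANY_V4 else "review"
        for port in SMB_PORTS + (RDP_PORT,):
            if covers_port(rule, port) and decision_for(rules, port, probe) == "accept":
                findings.append((port, rule.source_cidr, level))
    return findings


# Constructed sample rule sets: the weak configuration and the hardened one.
WEAK_RULES = [
    InboundRule("accept", "tcp", "3389/3389", "0.0.0.0/0", priority=100),  # RDP open to the world
    InboundRule("accept", "tcp", "445/445", "0.0.0.0/0", priority=100),    # SMB open to the world
    InboundRule("accept", "tcp", "80/80", "0.0.0.0/0", priority=100),
]
HARDENED_RULES = [
    InboundRule("drop", "tcp", "137/139", "0.0.0.0/0", priority=1),
    InboundRule("drop", "tcp", "445/445", "0.0.0.0/0", priority=1),
    InboundRule("accept", "tcp", "3389/3389", "203.0.113.0/24", priority=1),  # admin range only
    InboundRule("accept", "tcp", "80/80", "0.0.0.0/0", priority=100),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {audit(rules) or 'no findings'}")
```

The audit probes each accept rule with an address from its own source range and re-evaluates the whole rule set, so an accept on Port 445 that is shadowed by a higher-priority drop is correctly reported as harmless, while a narrower RDP allow is reported at "review" level so that you can confirm it is an administrative range rather than a partner's whole network.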

Verify the fix

After the access control policy of the security group is configured, you can use the Telnet client to test and verify it. If the connection does not succeed and no response is returned, the port is not reachable from the Internet and cannot be attacked over it.

The following result shows that the port is disabled and cannot be exploited by hackers.
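The manual Telnet check described under Affected scope and the verification step above test one port at a time. The script below is an added example, not Alibaba Cloud tooling, that checks all four ports named in the advisory from an external machine and distinguishes a port that answers (something listens), one that refuses (the host answers but nothing listens) and one that is filtered (the security group drops the SYN, which is what a correct rule looks like). The port list, the timeout and the placeholder target address are assumptions.

```python
"""Check whether the advisory's ports are reachable on a host (TCP only).

Added example, not Alibaba Cloud tooling. Run it from a machine outside the
security group (the advisory's "external computer") against your own server.
"""
import socket
from typing import Dict, List

# Ports the advisory tells you to check: NetBIOS (137/139), SMB (445), RDP (3389).
ADVISORY_PORTS = {137: "NetBIOS-NS", 139: "NetBIOS-SSN", 445: "SMB", 3389: "RDP"}


def port_state(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer).

    'filtered' is what a security-group drop rule produces: the SYN is
    silently discarded, so the connection attempt times out.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:  # must precede OSError (its parent class)
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def exposure_report(host: str, ports=ADVISORY_PORTS, timeout: float = 2.0) -> Dict[int, str]:
    """State of every port in `ports` on `host`."""
    return {port: port_state(host, port, timeout) for port in ports}


def exposed_ports(report: Dict[int, str]) -> List[int]:
    """Ports that still accept connections and therefore need a rule or a patch."""
    return sorted(p for p, state in report.items() if state == "open")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder target
    report = exposure_report(target)
    for port, state in sorted(report.items()):
        print(f"{target}:{port:<5} {ADVISORY_PORTS.get(port, '?'):<12} {state}")
    if exposed_ports(report):
        print("ACTION: restrict or block the open ports above in the security group")
```

Run it as `python check_ports.py <public-ip-of-your-ecs-instance>` from a host outside the security group; a correctly configured group shows 137, 139 and 445 as filtered, and 3389 as filtered from any address that is not in the allowed administrative range.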

Background

What is SMB

Server Message Block (SMB) is a protocol developed by Microsoft and Intel in 1987. It is mainly used for communication on Microsoft networks. SMB runs at the session layer, the presentation layer, and a small part of the application layer, and it uses the NetBIOS API. Running over TCP, either directly or through NetBIOS, SMB generally uses Ports 139 and 445.

What is RDP

Remote Desktop Protocol (RDP) has been provided by Microsoft since Windows 2000 Server. It generally uses Port 3389 as its service port. RDP allows you to operate a computer that runs the RDP server software in real time from another computer over a network connection, for example, to install software and run programs.

However, an RDP port exposed to the Internet carries security risks. For example, it lets an attacker run brute-force attacks against server accounts, and a successful attack gives the attacker control of the server. Therefore, we recommend that you harden your Windows server.